mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
5b5589e167
- Looser coupling between these analyzers. - New ntlm.log (still pretty early) - Improved string handling for NTLM (convert UTF16 to UTF8) - SMB2 analyzer now supports GSSAPI. - Improved abstraction of DCE_RPC operations (still not finished) - Lots of whitespace cleanup.
54 lines
1.2 KiB
Text
54 lines
1.2 KiB
Text
module NTLM;
|
|
|
|
export {
|
|
redef enum Log::ID += { LOG };
|
|
|
|
type Info: record {
|
|
## Timestamp for when the event happened.
|
|
ts : time &log;
|
|
## Unique ID for the connection.
|
|
uid : string &log;
|
|
## The connection's 4-tuple of endpoint addresses/ports.
|
|
id : conn_id &log;
|
|
|
|
username: string &log &optional;
|
|
hostname: string &log &optional;
|
|
domainname: string &log &optional;
|
|
};
|
|
}
|
|
|
|
redef record connection += {
|
|
ntlm: Info &optional;
|
|
};
|
|
|
|
event bro_init() &priority=5
|
|
{
|
|
Log::create_stream(NTLM::LOG, [$columns=Info, $path="ntlm"]);
|
|
}
|
|
|
|
event ntlm_negotiate(c: connection, request: NTLM::Negotiate) &priority=5
|
|
{
|
|
#print request;
|
|
}
|
|
|
|
event ntlm_challenge(c: connection, challenge: NTLM::Challenge) &priority=5
|
|
{
|
|
#print "challenge!!!!!";
|
|
#print challenge;
|
|
}
|
|
|
|
event ntlm_authenticate(c: connection, request: NTLM::Authenticate) &priority=5
|
|
{
|
|
c$ntlm = NTLM::Info($ts=network_time(), $uid=c$uid, $id=c$id);
|
|
if ( request?$domain_name )
|
|
c$ntlm$domainname = request$domain_name;
|
|
if ( request?$workstation )
|
|
c$ntlm$hostname = request$workstation;
|
|
if ( request?$user_name )
|
|
c$ntlm$username = request$user_name;
|
|
}
|
|
|
|
event ntlm_authenticate(c: connection, request: NTLM::Authenticate) &priority=-5
|
|
{
|
|
Log::write(NTLM::LOG, c$ntlm);
|
|
}
|